[sudo-users] Adding support to sudo to open a file with elevated privileges

Ed Neville ed-sudo at s5h.net
Sun Sep 5 10:31:36 MDT 2021


On 2021-09-05 17:26+0200, Piotr Dobrogost wrote:
> On Sun, Sep 5, 2021 at 3:15 PM Ed Neville <ed-sudo at s5h.net> wrote:
> >
> > That's something that I think it has already. You can use sudoedit to
> > write the file, but you need to set the EDITOR as tee or cat:
> >
> >   <https://www.usenix.org.uk/content/sudo.html#safe-file-edits>
> >
> > echo "something" | EDITOR=/bin/tee sudoedit /etc/config_file >/dev/null
> 
> Interesting.
> However I fail to see how it is better than simpler
> 
> echo "something" | sudo /bin/tee /etc/config_file >/dev/null
> 
> already mentioned as a suggested way of handling this?
> 
> What you proposed still uses external binary (tee), still requires
> redirection of standard output and in addition uses additional
> features of sudo not required when using simpler form.

Better, IMO, as sudoedit handles the write in an atomic way (writes to 
tmp, then renames to destination).

To permit in the ACL in a similar way for append/overwrite needs to 
permit mv and the various editors you permit the user to write the file 
with an editor of their choice; this defines the action (edit) rather 
than the execution.

To my mind, it ends up being less complex in sudo config terms doing it 
with mv, even if --out was an option. I think you'd end up needing to 
cater for various places that --out can write to, such as /etc/shadow.

Ed
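
The atomicity argument above in runnable form, as an added example that is
not part of the thread or of sudo itself: it contrasts an in-place
overwrite through tee with the write-to-temp-then-rename replacement that
sudoedit performs, on a scratch file so it runs without root. The function
names (overwrite_inplace, atomic_replace, failing_producer, demo), the
scratch paths and the half-failing producer are constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from sudo or from the mailing-list thread.
# Contrasts overwriting a file in place through tee with the
# write-to-temp-then-rename pattern sudoedit uses. Runs in a scratch
# directory, so no root is needed. All names below are chosen for the demo.

# In-place overwrite. tee opens the target with O_TRUNC before it reads a
# single byte, so a producer that dies part-way leaves a truncated/partial
# target, and the pipeline's exit status is tee's, which hides the failure.
overwrite_inplace() {
    target=$1; shift
    "$@" | tee -- "$target" >/dev/null
}

# Atomic replacement. The producer writes into a temp file in the target's
# own directory (so the final rename never crosses a filesystem); only after
# the producer exits 0 is the temp file renamed over the target. A failed
# producer leaves the original untouched and the temp file is removed.
# Preserving mode/ownership, which sudoedit takes care of, is left out here.
atomic_replace() {
    target=$1; shift
    dir=$(dirname -- "$target")
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1
    if "$@" >"$tmp"; then
        mv -f -- "$tmp" "$target"
    else
        rm -f -- "$tmp"
        return 1
    fi
}

# Constructed producer: emits half of its output, then fails, like a config
# generator that hit an error while rendering.
failing_producer() {
    printf 'partial'
    return 1
}

# Walk through both behaviours on a scratch copy of a "config" file.
demo() {
    d=$(mktemp -d)
    printf 'original\n' >"$d/config"
    overwrite_inplace "$d/config" failing_producer
    printf 'after tee:    %s\n' "$(cat "$d/config")"   # partial content kept
    printf 'original\n' >"$d/config"
    atomic_replace "$d/config" failing_producer \
        || printf 'atomic_replace refused the failed write\n'
    printf 'after atomic: %s\n' "$(cat "$d/config")"   # original content kept
    rm -rf -- "$d"
}

demo
```

With a sudoers rule of the form `user ALL = sudoedit /etc/config_file`, the
one-liner from the thread (`EDITOR=/bin/tee sudoedit /etc/config_file`)
gets the same property from sudo itself: the unprivileged part only ever
touches sudo's temporary copy, and the privileged write-back happens once,
after the editor has exited, which is the ACL shape Ed is describing.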

